0

Make tshark undissect the data layer

asked 2022-11-27 12:51:51 +0000

liron
1

Hi, Is there any option to run tshark without dissecting the data layer? I want to get the bytes or hex of the data layer in my json output

Thanks!

edit retag flag offensive close merge delete

1 Answer

Sort by » oldest newest most voted

0

answered 2022-11-28 18:05:09 +0000

flag of Netherlands

176 ●63 ●3

Use the option --disable-protocol to stop dissecting that protocol and treat it as data instead.

edit flag offensive delete link

Comments

Thank you for your answer! Is there any way to disable all the data layer protocols at once? Or I must disable only specific ptorocols?

liron ( 2022-11-28 22:28:54 +0000 )edit

That depends on what you mean by "data layer protocol":

For 'data link layer protocol' it is probably easier to list the protocols like --disable-protocol eth
For protocols on top of TCP you can use the 'decode as' option: -d tcp.port==0-65535,data

André ( 2022-11-29 18:55:41 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Question Tools

2 followers

Stats

Asked: 2022-11-27 12:50:55 +0000

Seen: 112 times

Last updated: Nov 28 '22

Related questions

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.

Powered by Askbot version 0.10.2